New Rules Deployed

August 11th, 2023


Windows/Network Connection:

  1. Connection Initiated Via Certutil.EXE
  2. Equation Editor Network Connection
  3. Download a File with IMEWDBLD.exe
  4. Communication To Mega.nz

Windows/System or Application/Service Control Manager:

  1. Suspicious Service Installation Script
  2. Turla PNG Dropper Service
  3. CobaltStrike Service Installations – System
  4. Windows Defender Threat Detection Disabled – Service
  5. smbexec.py Service Installation
  6. Invoke-Obfuscation Obfuscated IEX Invocation – System
  7. Invoke-Obfuscation STDIN+ Launcher – System
  8. Invoke-Obfuscation VAR+ Launcher – System
  9. Anydesk Remote Access Software Service Installation
  10. Hacktool Service Registration or Execution


Driver Load:

  1. Usage Of Malicious POORTRY Signed Driver
  2. PowerShell Scripts Run by Services


Azure/Azure Active Directory:

  1. Member Added to Group – Azure AD
  2. Multiple Members Added To Group – Azure AD2


Windows/Image Load:

  1. Suspicious Unsigned Dbghelp-Dbgcore DLL Loaded
  2. PCRE.NET Package Image Load
  3. Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
  4. Suspicious Interactive PowerShell as SYSTEM
  5. Suspicious Scheduled Task Write to System32 Tasks
  6. Suspicious Startup Folder Persistence


Windows/Files:

  1. UEFI Persistence Via Wpbbin – FileCreation
  2. WMI Persistence – Script Event Consumer File Write
  3. Creation of a WerFault.exe in Unusual Folder
  4. UAC Bypass Using Windows Media Player – File
  5. UAC Bypass Abusing Winsat Path Parsing – File
  6. Suspicious Interactive PowerShell as SYSTEM
  7. Suspicious Scheduled Task Write to System32 Tasks
  8. Suspicious Startup Folder Persistence
  9. NPPSpy Hacktool Usage
  10. Powerup Write Hijack DLL


Fortigate@Fortinet:

  1. Fortigate Audit – System Changes Outside Working Hours


Windows/Process Creation:

  1. Certificate Exported Via Certutil.EXE
  2. Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
  3. Findstr Suspicious ParentCommandLine
  4. Use NTFS Short Name in Image
  5. Sdclt Child Processes
  6. Potential UAC Bypass Via Sdclt.EXE


Windows/PowerShell:

  1. Potential Registry Reconnaissance Via PowerShell Script
  2. PowerShell Set-Acl On Windows Folder – PsScript
  3. PowerShell Script Change Permission Via Set-Acl – PsScript


365 Defender:

  1. Collection – 365 Defender
  2. Defense Evasion – 365 Defender
  3. Ransomware – 365 Defender
  4. Credential Access – 365 Defender


Web Cache:

  1. Potential CVE-2023-36884 URL Request Pattern Traffic


Pulse Connect Secure@Pulse Secure:

  1. User Connected by VPN Outside Working Hours – Pulse Secure


Windows/Registry:

  1. UAC Bypass via Sdclt
